2 ## radiusd.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
8 # The location of other config files and
9 # logfiles are declared in this file
11 # General configuration for modules can also be done
12 # in this file; it is exported through the API to
13 # modules that ask for it.
18 exec_prefix = @exec_prefix@
19 sysconfdir = @sysconfdir@
20 localstatedir = @localstatedir@
25 radacctdir = @radacctdir@
28 # Location of config and logfiles.
32 run_dir = ${localstatedir}/run
35 # pidfile: Where to place the PID of the RADIUS server.
37 # The server may be signalled while it's running by using this
40 # e.g.: kill -HUP `cat /var/run/radiusd.pid`
42 pidfile = ${run_dir}/radiusd.pid
45 # user/group: The name (or #number) of the user/group to run the server as.
46 # On SCO (ODT 3) use "user = nouser" and "group = nogroup".
47 # On HPUX you may not be able to use shared memory as nobody, and the
48 # suggested workaround is to create a user www and use that user.
50 # NOTE that some kernels refuse to setgid(group)
51 # when the value of (unsigned)group is above 60000;
52 # don't use group nobody on these systems!
54 # On systems with shadow passwords, you might have to set 'group = shadow'
55 # for the server to be able to read the shadow password file.
61 # max_request_time: The maximum time (in seconds) to handle a request.
63 # Requests which take more time than this to process are killed, and
64 # a REJECT message is returned.
66 # Useful range of values: 5 to 120
71 # cleanup_delay: The time to wait (in seconds) before cleaning up
72 # a reply which was sent to the NAS.
74 # The RADIUS request is normally cached internally for a short period
75 # of time, after the reply is sent to the NAS. The reply packet may be
76 # lost in the network, and the NAS will not see it. The NAS will then
77 # re-send the request, and the server will respond quickly with the
80 # If this value is set too low, then duplicate requests from the NAS
81 # MAY NOT be detected, and will instead be handled as separate requests.
83 # If this value is set too high, then the server will cache too many
84 # requests, and some new requests may get blocked. (See 'max_requests'.)
86 # Useful range of values: 2 to 10
91 # max_requests: The maximum number of requests which the server keeps
92 # track of. This should be 256 multiplied by the number of clients.
93 # e.g. With 4 clients, this number should be 1024.
95 # If this number is too low, then when the server becomes busy,
96 # it will not respond to any new requests, until the 'cleanup_delay'
97 # time has passed, and it has removed the old requests.
99 # If this number is set too high, then the server will use a bit more
100 # memory for no real benefit.
102 # If you aren't sure what it should be set to, it's better to set it
103 # too high than too low. Setting it to 1000 per client is probably
104 # the highest it should be.
106 # Useful range of values: 256 to infinity
111 # bind_address: Make the server listen on a particular IP address, and
112 # send replies out from that address. This directive is most useful
113 # for machines with multiple IP addresses on one interface.
115 # It can either contain "*", or an IP address, or a fully qualified
116 # Internet domain name. The default is "*"
121 # port: Allows you to bind FreeRADIUS to a specific port.
123 # The default port that most NAS boxes use is 1645, which is historical.
124 # RFC 2138 defines 1812 to be the new port. Many new servers and
125 # NAS boxes use 1812, which can create interoperability problems.
127 # The port is defined here to be 0 so that the server will pick up
128 # the machine's local configuration for the radius port, as defined
131 # If you want to use the default RADIUS port as defined on your server,
132 # (usually through 'grep radius /etc/services') set this to 0 (zero).
134 # A port given on the command-line via '-p' overrides this one.
139 # Which program to execute when doing concurrency checks.
141 checkrad = ${sbindir}/checkrad
144 # hostname_lookups: Log the names of clients or just their IP addresses
145 # e.g., www.freeradius.org (on) or 206.47.27.232 (off).
146 # The default is off because it'd be overall better for the net if people
147 # had to knowingly turn this feature on, since enabling it means that
148 # each client request will result in AT LEAST one lookup request to the
151 # Turning hostname lookups off also means that the server won't block
152 # for 30 seconds, if it sees an IP address which has no name associated
155 # allowed values: {no, yes}
157 hostname_lookups = no
160 # Core dumps are a bad thing. This should only be set to 'yes'
161 # if you're debugging a problem with the server.
163 # allowed values: {no, yes}
165 allow_core_dumps = no
168 # Log the full User-Name attribute, as it was found in the request.
170 # allowed values: {no, yes}
172 log_stripped_names = no
175 # Log authentication requests to the log file.
177 # allowed values: {no, yes}
182 # Log passwords with the authentication requests.
184 # allowed values: {no, yes}
189 # usercollide: Turn user collision code on and off.
190 # See README.usercollide
195 # lower_user / lower_pass:
196 # Lowercase the username/password before processing it
197 # This is as close as we can get to case insensitivity. It is
198 # the admin's job to ensure that the username on the auth
199 # db side is *also* lowercase to make this work
200 # Default is 'no' (don't lowercase values)
206 # If you have configured above to lowercase the username and
207 # password, you can decide here *when* to do that. You can
208 # lowercase them "before" any processing occurs, or you can
209 # lowercase "after" authentication processing once and the
210 # server will retry with the new lowercased values.
212 # Valid values: "before" / "after"
215 # nospace_user / nospace_pass:
216 # Some users mistakenly enter spaces in their username or
217 # password. To save yourself the tech support
218 # call, you can eliminate those spaces here:
219 # Default is 'no' (don't remove spaces)
224 # See above for lower_time explanation. Works the same way
225 # except does nospace processing.
227 # Valid values: "before" / "after"
228 nospace_time = before
231 #######################################################################
233 # Include optional/module specific configurations.
236 # PROXY CONFIGURATION
238 # proxy_requests: Turns proxying of RADIUS requests on or off.
240 # The server has proxying turned on by default. If your system is NOT
241 # set up to proxy requests to another server, then you can turn proxying
242 # off here. This will save a small amount of resources on the server.
244 # If you have proxying turned off, and your configuration files say
245 # to proxy a request, then an error message will be logged.
247 # allowed values: {no, yes}
249 # To disable proxying, change the "yes" to "no", and comment the
252 $INCLUDE ${confdir}/proxy.conf
254 # CLIENTS CONFIGURATION
256 # Client configuration is defined in "clients.conf". If you don't
257 # use the "clients.conf", you can comment the following. The use of
258 # "clients.conf" is recommended over the old "clients", though both
261 $INCLUDE ${confdir}/clients.conf
265 # Snmp configuration is only valid if you enabled SNMP support when
266 # you compiled radius. To enable SNMP configuration, uncomment the
268 $INCLUDE ${confdir}/snmp.conf
271 #######################################################################
273 # Thread pool configuration.
275 # The thread pool is a long-lived group of threads which
276 # take turns (round-robin) handling any incoming requests.
279 # You probably want to have a few spare threads around,
280 # so that high-load situations can be handled immediately. If you
281 # don't have any spare threads, then the request handling will
282 # be delayed while a new thread is created, and added to the pool.
284 # You probably don't want too many spare threads around,
285 # otherwise they'll be sitting there taking up resources, and
286 # not doing anything productive.
288 # The numbers given below should be adequate for most situations.
293 # Number of servers to start initially --- should be a reasonable ballpark
299 # Limit on the total number of servers running.
301 # If this limit is ever reached, clients will be LOCKED OUT, so it
302 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
303 # keep a runaway server from taking the system with it as it spirals
309 # Server-pool size regulation. Rather than making you guess how many
310 # servers you need, FreeRADIUS dynamically adapts to the load it
311 # sees --- that is, it tries to maintain enough servers to
312 # handle the current load, plus a few spare servers to handle transient
315 # It does this by periodically checking how many servers are waiting
316 # for a request. If there are fewer than min_spare_servers, it creates
317 # a new spare. If there are more than max_spare_servers, some of the
318 # spares die off. The default values are probably OK for most sites.
320 min_spare_servers = 3
321 max_spare_servers = 10
324 # There may be memory leaks or resource allocation problems with
325 # the server. If so, set this value to 300 or so, so that the
326 # resources will be cleaned up periodically.
328 # This should only be necessary if there are serious bugs in the
329 # server which have not yet been fixed.
331 # '0' is a special value meaning 'infinity', or 'the servers never exit'
333 max_requests_per_server = 0
338 # No config options for this yet
342 # Cache /etc/passwd, /etc/shadow, and /etc/group
344 # The default is to NOT cache them. However, caching them can
345 # speed up system authentications by a substantial amount.
347 # allowed values: {no, yes}
351 # Define the locations of the normal passwd, shadow, and
354 # 'shadow' is commented out by default, because not all
355 # systems have shadow passwords.
358 # shadow = /etc/shadow
362 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
363 # Also uncomment it in the authenticate{} block below
366 # login = "cn=admin,o=My Org,c=US"
368 # basedn = "o=My Org,c=US"
369 # filter = "(uid=%u)"
373 # You can have multiple instances of the realm module to
374 # support multiple realm syntaxes at the same time. The
375 # search order is defined by the order in the authorize and
376 # preacct blocks after the module config block.
378 # Two config options:
379 # format - must be 'prefix' or 'suffix'
380 # delimiter - must be a single character
404 huntgroups = ${confdir}/huntgroups
405 hints = ${confdir}/hints
408 # This hack changes Ascend's weird port numberings
409 # to standard 0-??? port numbers so that the "+" works
410 # for IP address assignments.
412 with_ascend_hack = no
413 ascend_channels_per_line = 23
416 # Windows NT machines often authenticate themselves as
419 # If this is set to 'yes', then the NT_DOMAIN portion
420 # of the user-name is silently discarded.
422 with_ntdomain_hack = no
425 # Specialix Jetstream 8500 24 port access server.
427 # If the user name is 10 characters or longer, a "/"
428 # and the excess characters after the 10th are
429 # appended to the user name.
431 # If you're not running that NAS, you don't need
434 with_specialix_jetstream_hack = no
437 usersfile = ${confdir}/users
438 acctusersfile = ${confdir}/acct_users
441 # If you want to use the old Cistron 'users' file
442 # with FreeRADIUS, you should change the next line
443 # to 'compat = cistron'. You can then copy your 'users'
449 # See README.rlm_fastusers before using this
450 # module or changing these values
452 usersfile = ${confdir}/users_fast
455 normal_defaults = yes
459 detailfile = %A/%n/detail
463 # This module will add a (probably) unique session id
464 # to an accounting packet based on the attributes listed
465 # below found in the packet. see doc/README.rlm_acct_unique
467 key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port-Id"
472 # Configuration for the SQL module.
479 password = "rootpass"
481 # Database table configuration
483 acct_table = "radacct"
485 authcheck_table = "radcheck"
486 authreply_table = "radreply"
488 groupcheck_table = "radgroupcheck"
489 groupreply_table = "radgroupreply"
491 usergroup_table = "usergroup"
493 realms_table = "realms"
494 realmgroup_table = "realmgroup"
496 # Check case on usernames
497 sensitiveusername = no
499 # Remove stale session if checkrad does not see a double login
500 deletestalesessions = yes
502 # Print all SQL statements when in debug mode (-x)
504 sqltracefile = ${logdir}/sqltrace.sql
506 # number of sql connections to make to server
511 # A second instance of the same module, with the name "sql2" to identify it
516 server = "myothersever"
518 password = "rootpass"
520 # Database table configuration
522 acct_table = "radacct"
524 authcheck_table = "radcheck"
525 authreply_table = "radreply"
527 groupcheck_table = "radgroupcheck"
528 groupreply_table = "radgroupreply"
530 usergroup_table = "usergroup"
532 realms_table = "realms"
533 realmgroup_table = "realmgroup"
535 # Check case on usernames
536 sensitiveusername = no
538 # Remove stale session if checkrad does not see a double login
539 deletestalesessions = yes
541 # Print all SQL statements when in debug mode (-x)
545 #######################################################################
547 # Configuration for the example module. Uncommenting it will cause it
548 # to get loaded and initialized, but should have no real effect as long
549 # as it is not referenced in one of the autz/auth/preacct/acct sections
555 # allowed values: {no, yes}
560 # An integer, of any value.
567 string = "This is an example configuration string"
570 # An IP address, either in dotted quad (1.2.3.4) or hostname
579 anotherinteger = 1000
584 string = "This is a different string"
590 # Authentication types, Auth-Type = System and PAM for now.
594 # By grouping modules together in an authtype block, that authtype will be
595 # tried on each module in sequence until one returns REJECT or OK. This
596 # allows authentication failover if the first SQL server has crashed, for
602 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
606 # Authorization. First preprocess (hints and huntgroups files),
607 # then realms, and finally look in the "users" file.
608 # The order of the realm modules will determine the order that
609 # we try to find a matching realm.
610 # Make *sure* that 'preprocess' comes before any realm if you
611 # need to setup hints for the remote radius server
618 # Pre-accounting. Look for proxy realm in order of realms, then
619 # acct_users file, then preprocess (hints file).
626 # Accounting. Log to detail file, and to the radwtmp file.
633 # Session database, used for checking Simultaneous-Use. The radutmp module